CloudBees Jenkins Platform 2.346.1.4

RELEASED: June 22, 2022

Security advisories

CloudBees Security Advisory - June 22, 2022

Security fixes

Encrypt JGroups HA network messages (BEE-16793): Before this fix, the communication between HA nodes regarding the election of the primary node was not encrypted.

With this fix all the underlying JGroups communication is encrypted. Refer to the Upgrade notes for more information.

Security vulnerabilities were fixed and backported from Jenkins (BEE-16872): Refer to CloudBees Security Advisory June 22, 2022 for more information.
Security vulnerabilities were fixed and backported from Jenkins (BEE-18590): Refer to CloudBees Security Advisory June 22, 2022 for more information.

New features

New update log for applied bundles (BEE-10576)

When a new version of the bundle is available and it is not valid, it is rejected and not applied.

A history of the updates is stored in the JENKINS_HOME directory and it is displayed in a new page. The validated version can also be downloaded with a report of the validation messages.

For more information, refer to the following topics:

New CLI and HTTP endpoints for bundle update log (BEE-10575)

The existing casc-bundle-check-bundle-update CLI was updated to display information about the validations of the current bundle and the new available bundle version.

The existing JENKINS_URL/casc-bundle-mgnt/check-bundle-update endpoint was updated to display information about the validations of the current bundle and the new available bundle version.

A new casc-bundle-update-log CLI was added to retrieve the same information that is displayed in the Update Log tab through the command line.

A new JENKINS_URL/casc-bundle-mgnt/casc-bundle-update-log endpoint was added to retrieve the same information that is displayed in the Update Log tab through an HTTP call.

For more information, refer to the following topics:

New CLI command to validate a bundle on an instance (BEE-16165)

A new CLI command allows you to validate a bundle on an instance. The bundle has to be a .zip file and the output is a JSON response that displays the following:

Validity of the bundle
List of validation messages

For more information, refer to Configuration as Code (CasC) CLI.

New HTTP endpoint command added to validate a bundle on an instance (BEE-16166)

A new HTTP endpoint lets you validate a bundle on an instance. The bundle has to be a .zip file and the output is a JSON response that displays the following:

Validity of the bundle
List of validation messages

For more information, refer to Configuration as Code (CasC) HTTP API.

Analytics collected about CasC bundles (BEE-16835)

The following new metrics about the stored CasC bundles are collected:

When the instance is started and configured. False if the instance has been previously started.
If the bundle does the following:
- Configures the Jenkins configuration. False if the CasC bundle does not configure the instance.
- Creates and updates items. False if the CasC bundle does not handle items.
- Configures RBAC. False if the CasC bundle does not configure RBAC.
- Allows the resolution of environment variables within the configuration files. False if the CasC bundle does not allow the variable resolution.
- Installs plugins in the instance. False if the CasC bundle does not install plugins.
- Allows the install of a plugin catalog. False if the plugin catalog is not supported in this instance.
- Installs a plugin catalog in the instance. False if the CasC bundle does not install a plugin catalog.
  
  For more information on how to check this on your running instance, refer to Data collection for the CloudBees Analytics Plugin.

Feature enhancements

Define the jcasc merge strategy in the bundle (BEE-14984): The Configuration as Code (CasC) plugin merge strategy can be now defined in the bundle.yaml file. The optional field jcascMergeStrategy lets users set both strategies to errorOnConflict or override.

For more information, refer to Creating a CasC bundle for controllers.

Added new validations when the new version of a bundle is available (BEE-17161)

When a new version of a bundle is available, the following new validations are performed:

jenkins.yaml file
items.yaml file
rbac.yaml file
pluginc-catalog.yaml file
plugins.yaml file

If this new version has validation errors, it is rejected and not applied.

The check-bundle-update CLI and HTTP API returned different responses if a restart is required to apply an upgrade (BEE-17173)

The CLI command and the HTTP API endpoint now return the same information, including if the upgrade requires either a restart of the instance or a reload of the bundle.

Added the new available version in the Bundle update tab and in the administrative monitor (BEE-18026)

When a new version of the bundle is available, the Bundle update tab in the CloudBees Configuration as Code export and update page and the administrative monitor did not display the new version number. Now, this new version number is displayed as part of the message.

The validation result of the current version is always visible (BEE-18027)

The validation status of the currently installed version is now always visible on the Bundle update tab in the CloudBees Configuration as Code export and update screen and not only when it had errors or warnings.

Modernized and updated the logos in the CasC plugins (BEE-19561)

Replaced the outdated CloudBees icons with updated menu icons.

Standardized how to configure NoTriggerBranchProperty (BEE-9069)

The behavior of NoTriggerBranchProperty can be confusing. The property disables index triggers and source control management (SCM) event triggers. In this release, a new configuration option was added that allows you to suppress none, both, or only one type of trigger.

For more information, refer to BranchPropertyStrategy objects.

Resolved issues

The plugin catalog proxy did not recognize the noProxyHost configuration (BEE-9352): The Maven repository host is correctly extracted now and it allows the `noProxyHost`option to be used correctly. This issue has been resolved.
The oome.md file has an absolute path in the support bundle (BEE-11346): The oome.md report incorrectly used an absolute path inside the bundle.

This issue has been resolved, the path is now relative.
GitHub org icon broken when using an internal GitHub Enterprise server (BEE-17176): When you define an organization folder for a GitHub organization hosted on a GitHub enterprise server, and this instance is configured to disallow anonymous access, the organization folder icon will break. Now, it fallbacks to the default icon in the previous situation.
Backup download from S3 is interrupted (BEE-17725): The backup download from S3 was being interrupted before the transfer was complete. The interruption occurred because the AWS TransferManager object was being garbage collected prematurely.

With this fix the object is correctly kept in memory and the transfer finishes as expected.
The GitHub API has deprecated the Team API endpoint causing a loss of functionality in the GitHub branch source plugin (BEE-17908): The code has been updated to use the new replacement endpoints and it restores the functionality.
The Blue Ocean wizard did not support Bitbucket cloud for creating projects (BEE-18180): The bitbucket.org REST API URL in Blue Ocean has been fixed. This issue has been resolved.
Unable to correctly read JENKINS_HTTPS_KEYSTORE_PASSWORD from systemd config file (BEE-7171): The JENKINS_HTTPS_KEYSTORE_PASSWORD was not properly passed to the underlying jvm process.

This fix properly wraps the underlying parameter value with double quotes.
Update styles in the help icon (BEE-15990): The help icon in Event Status for the CloudBees Software Delivery Automation Analytics page was using an outdated style. It is now using the updated style from Jenkins Core.
Anticipating Jenkins Core LTS 2.346 (BEE-16212): The Role Matrix screen was adapted to be compatible with UI changes from Jenkins LTS 2.346.
Domain specifications were not exported when using the CasC export item on the folders (BEE-16665): The domain specifications are now exported with the folders.
ComputedFolder items cannot be disabled/enabled via CasC (BEE-16794): ComputedFolder items (Multibranch and OrganizationFolder) can now be disabled/enabled with the following property:

disabled: true | false

If the disabled property is not indicated, the item remains in the status it was before applying the bundle if there are existing items, and it defaults to false (enabled) for new items.
Bundle directory itself is detected as not referenced in Kubernetes (BEE-17162): The not referenced/unreferenced files test condition is done incorrectly. The issue has been resolved.
When applying environment variables to a CloudBeesTemplatedJob, the variables are not being replaced (BEE-17379): Variables are now replaced in CloudBeesTemplatedJobs.
Removed ComputedFolderItem from the controller plugin as it already exists in the commons. Also, remove the Not for external use tag in the commons. (BEE-17546): Removed ComputedFolderItem from the controller plugin and removed the Not for external use tag in the commons.
CasCBundlesSyncBuildStep and bundle storage should not be enabled at the same time (BEE-17912): You can avoid bundle storage corruption if the build step is executed at the same time a System Config Configuration as Code (CasC) bundle location is active. In that case, the build step fails.
The HTTP endpoint and CLI command to validate bundles always marked the bundle as invalid (BEE-17927): When a valid bundle was assigned to a controller, the validate-uploaded-bundle endpoint and the casc-uploaded-bundle-validate CLI command were always marked as invalid. This issue has been resolved.
Removed jenkins/security/QueueItemAuthenticatorMonitor from Jenkins core (BEE-18106): This monitor was causing a start up error (java.lang.ClassNotFoundException: jenkins.security.QueueItemAuthenticatorMonitor).

The issue has been resolved. The CloudBees CI monitor about build isolation no longer references the open source one.
Controller security settings were not disabled when enforced from the operations center (BEE-18805): A change to the HTML DOM in Jenkins caused security-related UI features to incorrectly appear to be enabled on controllers.

This issue has been resolved. The security-related UI features are now properly disabled on the controller when security settings are enforced on the operations center. Note that, although the features appeared enabled, they were not functioning on the back end, so this was not a security issue.
Move/Copy/Promote dialog expanded (BEE-18819): CloudBees is addressing UI compatibility issues with the Jenkins LTS 2.346 update.

The height of the Move/Copy/Promote dialog was expanded to make the Close button visible.
Applied compatibility fixes to the Operations Center Context Plugin (BEE-18900): CloudBees is addressing UI compatibility issues with the Jenkins LTS 2.346 update.

In this release, the UI compatibility issues were fixed for the Operations Center Context Plugin.
Avoid optional updates on jobs based on templates (BEE-18903): When a job is based on a template, CasC will not update it unless the attributes in the instance are different than the attributes in the items.yaml file.
Terminology updates (BEE-18908): CloudBees is updating terminology to remove offensive text. During this ongoing initiative, “controller” replaces “master,” “agent” replaces “slave,” “allowlist” replaces “whitelist,” and “denylist” replaces “blacklist.”

In this release, on the shared agent’s Configuration page, the first option in the “Launch Method” dropdown menu was renamed to remove the offensive text.
Fix a reconnection edge case when using websockets (BEE-19031): Windows agents connected through websockets may not reconnect, as the controller thinks they are still connected.

This fix implements a similar approach to what was already implemented for inbound TCP agents to detect such cases and allow the agent to reconnect successfully.
User interface (UI) updates (BEE-19301): CloudBees is addressing UI compatibility issues with the Jenkins LTS 2.346 upgrade.

In this release, the UI compatibility issues were fixed for the CloudBees Role-Based Access Control Plugin.
User interface (UI) updates (BEE-19302, BEE-19304, BEE-19306, BEE-19308, BEE-19309, BEE-19311, BEE-19312, BEE-19314, BEE-19317, BEE-19318, BEE-19319, BEE-19328, BEE-19562, BEE-19570, BEE-19571, BEE-19910, BEE-20202): CloudBees is addressing all anticipated UI compatibility issues with the Jenkins LTS 2.346 upgrade.
User interface (UI) updates (BEE-19313): CloudBees is addressing all anticipated UI compatibility issues with the Jenkins LTS 2.346 upgrade.

In this release, general navigation issues were fixed.
User interface (UI) updates (BEE-19316): CloudBees is addressing UI compatibility issues with the Jenkins LTS 2.346 upgrade.

In this release, the UI compatibility issues were fixed for the CloudBees Pipeline: Groovy Checkpoint Plugin.
User interface (UI) updates (BEE-19322): CloudBees is addressing UI compatibility issues with the Jenkins LTS 2.346 upgrade.

In this release, the UI compatibility issues were fixed for the CloudBees CasC Server Plugin.
User interface (UI) updates (BEE-19327): CloudBees is addressing UI compatibility issues with the Jenkins LTS 2.346 upgrade.

In this release, the UI compatibility issues were fixed for the CloudBees Skip Next Build Plugin.
User interface (UI) updates (BEE-19329): CloudBees is addressing UI compatibility issues with the Jenkins LTS 2.346 upgrade.

In this release, the UI compatibility issues were fixed for the User Activity Monitoring Plugin.
User interface (UI) compatibility issue with Jenkins LTS 2.346 (BEE-19518): CloudBees is addressing UI compatibility issues with the Jenkins LTS 2.346 upgrade.

In this release, the UI compatibility issues were fixed by updating the SAML plugin.
Fixed a Jenkins user interface (UI) core regression (BEE-19519): Fixed a UI regression in Jenkins core causing Save and Apply buttons to appear above contextual menus.
Clone URLs are not being identified when receiving webhooks (BEE-19915): Clone URLs (HTTP URLs ending in .git) are now also extracted from the GitHub event and the remotes using it are identified.

Known issues

Jenkins logs are not appended to the service log file in an RPM installation that uses Java 8 (BEE-20636): If you use an RPM to upgrade the product while using Java 8, the Jenkins logs are no longer appended to the following configured service log by default: /var/log/cloudbees-core-[cm|oc]/cloudbees-core-[cm|oc].log

You should migrate to Java 11 to resolve this issue. For more information, refer to Migrating to Java 11.

Duplicate Pipeline Template Catalogs in the Configuration as Code jenkins.yaml file on each instance restart (BEE-12722): If a Pipeline Template Catalog is configured in the CasC jenkins.yaml file and the id property is not defined, the catalog is duplicated on each instance restart and in the exported CasC configuration.
Jobs based on templates are not created using the correct template (BEE-19032): When a job based on a template is created using CasC, the template used is a random one of the same type instead of the one that was selected.
The CasC bundles synchronization step will be deprecated in February 2023 (BEE-17915): A message about the step deprecation appears in every job’s execution logs and also on the configuration screen when a new job is defined.

Upgrade notes

Encrypt JGroups HA network messages (BEE-16793)

The keystore used for encryption is automatically generated on startup, so there is a risk of multiple HA nodes trying to create the file at the same time if they are all restarted together. To avoid this, restart one of the HA nodes (any node is acceptable) and then restart the others.

If you are using a custom jgroups.xml file, then add the following snippet to it to get message encryption:

<SYM_ENCRYPT sym_algorithm="AES"
keystore_name="${JENKINS_HOME}/jgroups_sym_encrypt.keystore"
store_password="changeit"
alias="jgroupsKey" />▼

User Activity Monitoring Plugin database update (BEE-14611)

In the 2.332.3.2 release, the User Activity Monitoring Plugin was updated to use a new database. The new database is installed automatically when you upgrade to version 2.332.3.2 or later; however, historical data tracked by the plugin will not migrate to the new database. You may continue to use the User Activity Monitoring Plugin normally and user activity will be captured again, or you can migrate the data from the old database if you need historical data.

For more information about migrating the historical data, refer to Migrating historical User Activity Monitoring Plugin data.

Migration to Java 11 will soon be required for new releases (BEE-42)

The Jenkins community will support the Java 11-specific features soon (Java 11 byte code) and then you cannot use a Java 8 runtime environment. Because CloudBees Jenkins Platform is based on the Jenkins LTS, future releases of CloudBees Jenkins Platform will have the same requirement.

CloudBees strongly recommends that you upgrade your CloudBees Jenkins Platform environment to run Java 11 as soon as possible. Some of the Java 11 updates may require action on your part, and there may be a specific order in which you should upgrade components in your environment. For more information, refer to Migrating to Java 11.

Updated support for the new LTS 2.346 (BEE-16160): Support was added for the new Jenkins LTS 2.346 release. The minimum required Jenkins version is now 2.303.
When you upgrade to Java 11, you must update your Java garbage collection arguments (BEE-16018): Garbage collection has been updated in Java 11. Many of the previously recommended arguments are no longer supported. When you upgrade your JDK to Java 11, you must also update your garbage collection configuration. Using unsupported Java arguments will result in startup failure.

For more information, refer to Adding Java arguments to the Jenkins service configuration file.
Jenkins upgrade notes: Jenkins 2.346 upgrade notes